Bug 1155304 - SELinux is preventing httpd from read access on the key Unknown (during FreeIPA deployment via rolekit, F21 Beta TC4)
Summary: SELinux is preventing httpd from read access on the key Unknown (during FreeI...
Keywords:
Status: CLOSED DUPLICATE of bug 1155301
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 21
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks: F21BetaBlocker
 
Reported: 2014-10-21 21:14 UTC by Adam Williamson
Modified: 2014-10-22 14:58 UTC
CC: 3 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-22 14:58:52 UTC
Type: Bug
Embargoed:




Links
Red Hat Bugzilla 1155301 (Private: 0, Priority: unspecified, Status: CLOSED): SELinux denies certmonger dbus requests during FreeIPA deployment with rolekit. Last updated 2022-05-16 11:32:56 UTC.
Red Hat Bugzilla 1155329 (Private: 0, Priority: unspecified, Status: CLOSED): SELinux is preventing named from create access on the file DNS_25 (during FreeIPA deployment via rolekit, F21 Beta TC4). Last updated 2022-05-16 11:32:56 UTC.

Description Adam Williamson 2014-10-21 21:14:01 UTC
This is another SELinux denial encountered when deploying FreeIPA via rolekit in Fedora 21 Beta TC4, following https://fedorahosted.org/rolekit/wiki/DomainController.

SELinux is preventing httpd from read access on the key Unknown.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that httpd should be allowed read access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
 
Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64
                              #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:48 PDT
Last Seen                     2014-10-21 13:34:48 PDT
Local ID                      9c444489-fd41-4345-a831-0aedca4e1cd1
 
Raw Audit Messages
type=AVC msg=audit(1413923688.483:574): avc:  denied  { read } for  pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1

There is a matching denial for { write }:

SELinux is preventing httpd from write access on the key Unknown.
 
*****  Plugin catchall (100. confidence) suggests   **************************
 
If you believe that httpd should be allowed write access on the Unknown key by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep httpd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
 
 
Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:unconfined_service_t:s0
Target Objects                Unknown [ key ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages          
Target RPM Packages          
Policy RPM                    selinux-policy-3.13.1-85.fc21.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     ipa001.domain.local
Platform                      Linux ipa001.domain.local 3.17.0-301.fc21.x86_64
                              #1 SMP Wed Oct 8 20:10:50 UTC 2014 x86_64 x86_64
Alert Count                   1
First Seen                    2014-10-21 13:34:48 PDT
Last Seen                     2014-10-21 13:34:48 PDT
Local ID                      f302b7c6-17b2-416e-9ceb-c02b53280093
 
Raw Audit Messages
type=AVC msg=audit(1413923688.508:575): avc:  denied  { write } for  pid=6382 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 tclass=key permissive=1
 
 
Hash: httpd,httpd_t,unconfined_service_t,key,write

Log messages around this time:

Oct 21 13:34:45 ipa001.domain.local roled[3817]: 2014-10-21 13:34:45 ERROR: ipa         : DEBUG    args='/usr/sbin/ipa-client-install' '--on-master' '--unattended' '--domain' 'domain.local' '--server' 'ipa001.domain.local' '--realm' 'DOMAIN.LOCAL' '--hostname' 'ipa001.domain.local'
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00000000 utils.c:87:GetDaemonPid() Can't open /var/run/pcscd/pcscd.pid: No such file or directory
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00027921 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003571 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003844 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003981 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00057417 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00003654 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005025 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00006426 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004724 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004551 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00005456 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:48 ipa001.domain.local pcscd[6403]: 00004838 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:49 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:49 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 01913391 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00007573 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00006100 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005847 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00005779 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6376]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00081112 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004950 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004485 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004236 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local pcscd[6403]: 00004164 winscard.c:266:SCardConnect() Reader E-Gate 0 0 Not Found
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 1
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 1
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 2
Oct 21 13:34:50 ipa001.domain.local httpd[6377]: GSSAPI client step 2
Oct 21 13:34:50 ipa001.domain.local ns-slapd[5961]: GSSAPI server step 3
Oct 21 13:34:51 ipa001.domain.local kernel: traps: nsupdate[6430] trap stack segment ip:7f4f28fbb64f sp:7f4f246fe0d0 error:0
Oct 21 13:34:52 ipa001.domain.local abrt-hook-ccpp[6431]: Saved core dump of pid 6427 (/usr/bin/nsupdate) to /var/tmp/abrt/ccpp-2014-10-21-13:34:51-6427 (44654592 bytes)

I'm not sure of the exact consequences of this denial: I hit it in Permissive mode, and can't test in Enforcing because the deployment will fail earlier due to bug 1155301. Nominating as a Beta blocker on the possibility that it may cause deployment to fail:

"Release-blocking roles and the supported role configuration interfaces must meet the core functional Role Definition Requirements to the extent that supported roles can be successfully started, stopped, brought to a working configuration, and queried."

https://fedoraproject.org/wiki/Fedora_21_Beta_Release_Criteria#Roles
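The two raw AVC records in the report carry everything needed to judge the denial, and the catchall suggestion (`grep httpd /var/log/audit/audit.log | audit2allow -M mypol`) would turn them, together with every other audit line that mentions httpd, into a local policy module. The following script is an added example, not code from the bug, from rolekit or from the selinux-policy project: it parses the two AVC lines quoted above, collapses them into the allow rule audit2allow would emit for them, and prints the triage notes a reviewer would want before loading such a module. Two points it makes explicit: `permissive=1` means the access was logged but actually went through, so the reporter's deployment could not show the consequence; and a `key` object carries the SELinux label of the process that created it, so a target of `unconfined_service_t` means httpd is using a keyring created under another domain (most likely inherited from the parent process tree that launched the installer; that attribution is an assumption here), and `allow httpd_t unconfined_service_t:key { read write };` would grant that to every httpd_t process. The third input line, marked constructed, is not from the page; it shows the same denial as it would appear in enforcing mode.

```python
import re
from collections import defaultdict

# The two raw AVC records quoted in the bug description above, copied verbatim,
# plus one CONSTRUCTED record (not from the page) showing the same denial with
# SELinux enforcing, so the triage logic has both cases to distinguish.
AVC_LINES = [
    'type=AVC msg=audit(1413923688.483:574): avc:  denied  { read } for  pid=6382 comm="httpd" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=key permissive=1',
    'type=AVC msg=audit(1413923688.508:575): avc:  denied  { write } for  pid=6382 comm="httpd" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=key permissive=1',
    # constructed: not from the bug report; same denial as it would look when enforcing
    'type=AVC msg=audit(1413923700.000:600): avc:  denied  { read } for  pid=6400 comm="httpd" '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:unconfined_service_t:s0 '
    'tclass=key permissive=0',
]

# Shape of a kernel AVC record: header with timestamp:serial, the decision,
# the permission set in braces, then space-separated key=value fields.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<action>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit line."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    return {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'action': m.group('action'),
        'perms': m.group('perms').split(),
        'permissive': fields.get('permissive') == '1',
        'comm': fields.get('comm'),
        'pid': int(fields['pid']) if 'pid' in fields else None,
        # user:role:type:level -> keep only the type, which is what allow rules use
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
    }


def allow_rules(records):
    """Collapse denials into the allow rules audit2allow would generate for them."""
    perms = defaultdict(set)
    for r in records:
        if r is not None and r['action'] == 'denied':
            perms[(r['stype'], r['ttype'], r['tclass'])].update(r['perms'])
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        plist = ' '.join(sorted(ps))
        body = plist if len(ps) == 1 else '{ ' + plist + ' }'
        rules.append(f'allow {stype} {ttype}:{tclass} {body};')
    return rules


def review(records):
    """Triage notes a reviewer wants before loading any generated module."""
    notes = []
    seen_keyrings = set()
    for r in records:
        if r is None or r['action'] != 'denied':
            continue
        perms = ' '.join(r['perms'])
        where = f"audit serial {r['serial']}, {r['comm']} pid {r['pid']}"
        if r['permissive']:
            notes.append(f"{where}: permissive=1, the {r['tclass']} {perms} was logged but "
                         f"allowed; expect it to fail once SELinux is enforcing.")
        else:
            notes.append(f"{where}: enforcing, the {r['tclass']} {perms} was actually blocked.")
        pair = (r['stype'], r['ttype'])
        if r['tclass'] == 'key' and r['stype'] != r['ttype'] and pair not in seen_keyrings:
            seen_keyrings.add(pair)
            notes.append(f"{r['stype']} touches a key labelled {r['ttype']}: keys carry the "
                         f"label of the process that created them, so this is a keyring created "
                         f"under another domain (typically inherited from the parent process), "
                         f"and a blanket allow rule would let every {r['stype']} process use it.")
    return notes


if __name__ == '__main__':
    recs = [parse_avc(line) for line in AVC_LINES]
    for rule in allow_rules(recs):
        print(rule)
    for note in review(recs):
        print('-', note)
```

On the page's own two records the script produces exactly one rule, `allow httpd_t unconfined_service_t:key { read write };`, and flags both as permissive, which matches the reporter's remark that he cannot judge the consequence: in enforcing mode the same two operations would be refused. Whether that refusal breaks the deployment is what the blocker nomination hinges on, and the keyring note is why a reviewer would look at which process created that key before accepting the generated rule rather than shipping it as-is.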

Comment 1 Miroslav Grepl 2014-10-22 14:58:52 UTC

*** This bug has been marked as a duplicate of bug 1155301 ***

